Token revocation policy


When an access token (or refresh token) is invalidated using Authlete's /auth/revocation API, the corresponding refresh token (or access token) is invalidated at the same time.

How Authlete handles token revocation requests

On receiving a revocation request from a client, an authorization server calls Authlete's /auth/revocation API with the "parameters" parameter, which contains the content of the revocation request.

The revocation request from the client contains the following parameters, as defined in RFC 7009.

token: The token that the client wants to get revoked.
token_type_hint: A hint about the type of the token submitted for revocation.

Authlete assumes the type of the token from the token_type_hint and looks up a token of that type in its token database first. If no token of that type is found, Authlete next looks up a token of the other type. If Authlete finds the token as either type, it removes that token together with its counterpart, i.e. the access token / refresh token pair.

In other words, token_type_hint does not specify which type of token is to be removed; it only helps Authlete locate the token in its records. Authlete always removes both the access token and the refresh token.

Details are as listed below.

token_type_hint   How the token record is located                                        What is removed
access_token      Look up the access token records first, and the refresh token          Both the access token and the refresh token
                  records next.
(omitted)         Same as above.                                                         Same as above.
refresh_token     Look up the refresh token records first, and the access token          Same as above.
                  records next.
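The lookup-order and pair-removal behaviour described above, as an added illustration that is not Authlete's own code: an authorization server endpoint parses the RFC 7009 request, forwards its raw body as the "parameters" value, and a toy token store applies the hint only to choose which record type is searched first, always removing both tokens of the pair. The TokenStore, TokenPair and handle_revocation_request names are assumptions made for this example; the sample token strings are constructed.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple
from urllib.parse import parse_qs


@dataclass
class TokenPair:
    """An access token and the refresh token issued alongside it."""
    access_token: str
    refresh_token: Optional[str]  # a pair may have no refresh token


def lookup_order(token_type_hint: Optional[str]) -> Tuple[str, str]:
    """Which record type is searched first. The hint is only a lookup aid:
    a wrong or missing hint never prevents revocation, it only changes the
    order in which the two record types are tried."""
    if token_type_hint == "refresh_token":
        return ("refresh_token", "access_token")
    # access_token, or no hint at all: access token records first
    return ("access_token", "refresh_token")


class TokenStore:
    """Hypothetical in-memory token database standing in for the real one."""

    def __init__(self) -> None:
        self._pairs: List[TokenPair] = []

    def issue(self, access_token: str, refresh_token: Optional[str]) -> TokenPair:
        pair = TokenPair(access_token, refresh_token)
        self._pairs.append(pair)
        return pair

    def is_active(self, token: str) -> bool:
        return any(token in (p.access_token, p.refresh_token) for p in self._pairs)

    def _find(self, token: str, token_type: str) -> Optional[TokenPair]:
        for pair in self._pairs:
            if getattr(pair, token_type) == token:
                return pair
        return None

    def revoke(self, token: str, token_type_hint: Optional[str]) -> Optional[TokenPair]:
        """Locate the token as either type, then remove the whole pair so that
        the counterpart token is invalidated at the same time."""
        for token_type in lookup_order(token_type_hint):
            pair = self._find(token, token_type)
            if pair is not None:
                self._pairs.remove(pair)
                return pair
        return None  # unknown token: nothing to revoke


def build_authlete_request(raw_form_body: str) -> dict:
    """The authorization server passes the client's revocation request body
    through unchanged as the "parameters" value of the /auth/revocation call."""
    return {"parameters": raw_form_body}


def handle_revocation_request(store: TokenStore, raw_form_body: str) -> Optional[TokenPair]:
    """Revocation endpoint logic: parse token and token_type_hint (RFC 7009),
    then apply the lookup policy. Per RFC 7009 the endpoint answers 200 whether
    or not the token was known, so the caller only needs the result for logging."""
    params = parse_qs(raw_form_body, keep_blank_values=True)
    token = params.get("token", [None])[0]
    hint = params.get("token_type_hint", [None])[0]
    if not token:
        return None
    return store.revoke(token, hint)


if __name__ == "__main__":
    store = TokenStore()
    store.issue("at-1", "rt-1")  # constructed sample tokens
    store.issue("at-2", "rt-2")
    # The client submits a refresh token but hints "access_token": the access
    # token records are searched first, the refresh token records next, and
    # the whole pair is removed anyway.
    revoked = handle_revocation_request(store, "token=rt-1&token_type_hint=access_token")
    print("revoked pair:", revoked)
    print("at-1 active:", store.is_active("at-1"), "rt-1 active:", store.is_active("rt-1"))
    print("forwarded:", build_authlete_request("token=rt-1&token_type_hint=access_token"))
```

The point a reviewer of a revocation endpoint should check is the one the table makes: a mismatched hint must degrade to a second lookup, not to a silent no-op, and the counterpart token must disappear from the store in the same operation.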